Mutt/GnuPG doc initial release

Len Sassaman rabbi@quickie.net
Tue Sep 25 01:02:01 2001


The issue isn't PGP signing messages to mailing lists, it's the MIME
attachments.

Some of the mailing lists I am on strip MIME attachments altogether.
Others have web based archives. Others have digest versions.

Conventional PGP signatures still verify on all of these lists. PGP/MIME
does not.


--Len.

On Mon, 24 Sep 2001, Janusz A. Urbanowicz wrote:


> Alexander Skwar wrote/napisał[a]/schrieb:
> [Charset iso-8859-1 unsupported, filtering to ASCII...]
> > So sprach _Janusz A. Urbanowicz_ am 2001-09-24 um 13:44:47 +0200 :
> > > Len Sassaman wrote/napisał[a]/schrieb:
> > > > Frankly, it's poor netiquette to post PGP/MIME messages to mailing lists,
> > > > for one,
> > >
> > > Why?
> >
> > Because normally it's not that terribly important to see from which
> > person a mail originated. You know, I don't know you, so even if your
> > mail would have been signed, it wouldn't mean more to me. Also Werner's
> > mails to this list wouldn't mean more to me if they were signed, because
> > he's also just a stranger.
>
> I don't think so.
>
> > So, it doesn't add anything which means that it's unneeded and thus poor
> > netiquette.
>
> And I think you are wrong or haven't done proper threat analysis. Case 1:
> someone impersonating Werner posts a message about a bug in GnuPG and a
> patch to fix it. This patch actually plants a backdoor. In your approach,
> you have no way to tell, nor does it make any difference to you.
> Case 2 (real life example): a friend of mine is an active usenetter, she
> also posts a lot to mailing lists. One day a sexually suggestive (at the
> verge of explicit) forged message attributed to her started to appear. PGP
> signing was the simplest way to make a good distinction of which messages
> come from her and which are forgeries.
>
> In saying about 'strangers' you forgot one thing: while on everyday use of
> PGP there is little need to use it to establish RL identity, it is a very
> good and a convenient way of establishing origin. I don't care much if
> Werner's name is actually Werner, but I do care if new GPG releases come
> from its author.
>
> A good example is remailer-operator list. Anon remailer operators need not
> know each other's identities (I'm one of the few who reveal their names)
> but need to know if given remailer configuration changes come from the
> remailer's operator (because of MITM).
>
> Alex
> --
> C _-=-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling | | *
> ; (_O : +-------------------------------------------------------------+ --+~|
> ! &~) ? | I want to sail East, beyond Suez, where every evil is a good | l_|/
> A ~-=-~ O| Where the Ten Commandments are absent and one may drink to the bottom; | |
>
--
Len Sassaman            | "I must play their game, of
Security Architect      | not seeing I see the game."
Technology Consultant   |
http://sion.quickie.net |                --R. D. Laing
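Len's point, that a conventional (inline) signature survives list processing that a PGP/MIME signature does not, as a runnable illustration added here; it is not code from the thread, from Mutt or from GnuPG. The two list behaviours (forward only the text part; append a footer to the body), the addresses and the message text are constructed, and an HMAC stands in for the OpenPGP signature primitive, since what matters is which bytes get signed and whether the list leaves them intact, not the key type:

```python
"""Why inline PGP signatures survive list munging that PGP/MIME does not.

Constructed demo, not Mutt/GnuPG code. An HMAC stands in for the OpenPGP
signature primitive; the MIME handling under test is the same either way.
"""
import hashlib
import hmac
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

STANDIN_KEY = b"constructed-demo-key"  # stand-in for the poster's signing key


def sign(data: bytes) -> str:
    return hmac.new(STANDIN_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)


def canonical(text: str) -> bytes:
    """Text-mode canonical form (RFC 4880 text mode, and the CRLF form RFC 3156
    requires): CRLF line endings, no trailing whitespace on a line. Ignoring
    trailing blank lines is this demo's simplification."""
    lines = [ln.rstrip() for ln in re.split(r"\r\n|\r|\n", text)]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines).encode()


def parse(raw: bytes) -> EmailMessage:
    return BytesParser(policy=policy.SMTP).parsebytes(raw)


def pgp_mime_message(text: str) -> bytes:
    """RFC 3156 layout: multipart/signed = body part + detached signature part.
    (A real PGP/MIME signature also covers the body part's MIME headers.)"""
    body = EmailMessage(policy=policy.SMTP)
    body.set_content(text)
    sig = EmailMessage(policy=policy.SMTP)
    sig.set_content(sign(canonical(body.get_content())).encode(),
                    maintype="application", subtype="pgp-signature")
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "poster@example.invalid"  # constructed address
    msg["Subject"] = "patch for the list"
    msg["MIME-Version"] = "1.0"
    msg["Content-Type"] = ('multipart/signed; protocol="application/pgp-signature"; '
                           'micalg="pgp-sha256"')
    msg.attach(body)
    msg.attach(sig)
    return msg.as_bytes()


CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\nHash: SHA256\r?\n\r?\n(.*?)\r?\n"
    r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)\r?\n-----END PGP SIGNATURE-----",
    re.S)


def inline_message(text: str) -> bytes:
    """Conventional clearsigned body: the signature travels inside the text."""
    armored = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
               f"{text}\n-----BEGIN PGP SIGNATURE-----\n"
               f"{sign(canonical(text))}\n-----END PGP SIGNATURE-----")
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "poster@example.invalid"  # constructed address
    msg["Subject"] = "patch for the list"
    msg.set_content(armored)
    return msg.as_bytes()


def verify_pgp_mime(msg):
    """True/False when a multipart/signed structure is present; None when the
    signature part is gone and there is nothing left to verify."""
    if msg.get_content_type() != "multipart/signed":
        return None
    parts = list(msg.iter_parts())
    if len(parts) != 2 or parts[1].get_content_type() != "application/pgp-signature":
        return None
    return verify(canonical(parts[0].get_content()),
                  parts[1].get_content().decode().strip())


def verify_inline(msg):
    """Pull the clearsigned block out of whatever text body is left."""
    body = msg.get_body(preferencelist=("plain",))
    m = CLEARSIGN.search(body.get_content()) if body is not None else None
    if m is None:
        return None
    return verify(canonical(m.group(1)), m.group(2).strip())


def list_strip_attachments(raw: bytes) -> bytes:
    """List software that forwards only the text/plain part (also what a
    text-only web archive or digest keeps)."""
    msg = parse(raw)
    out = EmailMessage(policy=policy.SMTP)
    out["From"], out["Subject"] = str(msg["From"]), str(msg["Subject"])
    out.set_content(msg.get_body(preferencelist=("plain",)).get_content())
    return out.as_bytes()


def list_append_footer(raw: bytes) -> bytes:
    """List software that appends a footer to the text body in place."""
    msg = parse(raw)
    body = msg.get_body(preferencelist=("plain",))
    body.set_content(body.get_content()
                     + "\n--\nTo unsubscribe, mail list-request@example.invalid\n")
    return msg.as_bytes()


def survey(text: str) -> dict:
    """For each list behaviour: (PGP/MIME result, inline result)."""
    pm, il = pgp_mime_message(text), inline_message(text)
    return {
        "untouched": (verify_pgp_mime(parse(pm)), verify_inline(parse(il))),
        "attachments stripped": (verify_pgp_mime(parse(list_strip_attachments(pm))),
                                 verify_inline(parse(list_strip_attachments(il)))),
        "footer appended": (verify_pgp_mime(parse(list_append_footer(pm))),
                            verify_inline(parse(list_append_footer(il)))),
    }


if __name__ == "__main__":
    sample = "Here is the fix for the parser bug; patch follows.\nIndex: parse.c"
    for case, (mime_ok, inline_ok) in survey(sample).items():
        print(f"{case:22s} PGP/MIME={mime_ok!s:5s} inline={inline_ok}")
```

The survey reports what Len describes: untouched, both forms verify; with everything but the text part dropped, PGP/MIME has nothing left to verify (None) while the clearsigned block still verifies; with a footer appended, PGP/MIME fails because the signed part changed, while the clearsigned block is unaffected by text added after it. The caveat on the inline form is that it only survives processing that leaves the signed lines themselves alone (and real clearsign additionally dash-escapes lines starting with "-"); a list that reflows or re-encodes the body breaks it as well.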